August 2014 - Posts

As more companies come to realize the importance of using encryption software like AlertBoot (sometimes prodded by industry regulators and state, federal, and national law), we are finding that data breaches are shifting toward smaller business concerns. Take for example the following story about a yoga studio in Canada.

Laptop, Cash, and Checks Stolen from SMB

According to niagarathisweek.com, a yoga studio owner experienced a burglary while she took a coffee break. Upon returning from her short rest, she found that someone had stolen her laptop computer, apparently valued at $25 at a pawn shop, as well as the studio's checks and petty cash in the amount of $150 or so.

The computer contained photographs, "confidential client files," and class plans. All in all, it doesn't sound like a terrible data breach, assuming that the confidential client files didn't include financial data or sensitive personal information like SSNs (or their Canadian equivalent, Social Insurance Numbers).

What does rankle me, though, is the following statement: "Luckily, the computer is password protected," said the studio owner.

Password-Protection: It's More Marketing Speak than Actual Protection

Password-protection doesn't mean what you think it means. To most people, it means security when it comes to a computer and its data. A quick search online will show you that it's anything but. If you need to compare it to something less esoteric than computers and electronic data, compare password-protection to a boom gate (those mechanized arms that stop your car from entering a parking garage until you take a ticket). The analogy is more than apt.

Consider the boom gate. Its purported purpose is to keep cars out of an establishment until they are authorized to go in, whether by taking a ticket or speaking with someone. But you know from YouTube footage that the only reason this works is that people are ordinarily quite decent: they stop at the boom until it's raised. In reality, there is nothing stopping someone from just driving through it, and the boom will not stop jack squat.

You might say that the real purpose of the boom gate is to momentarily stop honest, decent people so that they take a particular action before passing, and to mangle, to a certain degree, the cars of those who don't...before they pass anyway.

Password-protection is similar in nature. It stops honest people from accessing the computer, but there are plenty of easy (and free) ways to get around it if one really resolves to do so. The reason is simple: a login password only gates the operating system; it does nothing to the data on the disk. Boot the machine from a USB stick, or pull the drive and attach it to another computer, and every file is readable without the password ever being entered. Again, an online search will confirm this.

At this point, password-protection might as well be meaningless marketing speak. But most people don't know this, since you need a certain degree of expertise when it comes to such matters. Big companies hire experts, so they know not to rely on password-protection (they'll go for something like managed disk encryption from us), but smaller companies are at a disadvantage.
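The practical question for anyone auditing a laptop is therefore not "does it have a password?" but "is every mounted filesystem sitting on an encrypted device?" The following is an added example (not code from the original post or from AlertBoot) that answers that question on Linux by walking the block-device tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints. The JSON embedded below is a constructed sample of that output, not a real host; the device names and the allow-list of cleartext boot partitions are assumptions for the example.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output for a
# hypothetical laptop: / lives on a LUKS container, /boot is a plain partition
# (normal for Linux full-disk encryption), and a second disk holding /home has
# no encryption layer at all. Made-up data for this example, not a real host.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/home"}
    ]}
  ]
}
"""


def _mountpoints(dev):
    """Return the mountpoints of one lsblk device entry.

    Older lsblk emits a single "mountpoint" string; newer versions emit a
    "mountpoints" list. Accept both and drop null/empty entries.
    """
    points = dev.get("mountpoints")
    if points is None:
        points = [dev.get("mountpoint")]
    return [p for p in points if p]


def unencrypted_mounts(lsblk_json, allow=("/boot", "/boot/efi")):
    """Walk the lsblk tree and return (device, mountpoint) pairs whose
    filesystem is not backed by a dm-crypt/LUKS device anywhere above it.

    `allow` lists mountpoints that are expected to be cleartext on a Linux
    FDE setup (the bootloader must read them before any key is entered).
    """
    findings = []

    def walk(dev, under_crypt):
        # Once we pass through a "crypt" node, everything below it (LVM
        # volumes, partitions, filesystems) is protected by that layer.
        under_crypt = under_crypt or dev.get("type") == "crypt"
        for mp in _mountpoints(dev):
            if not under_crypt and mp not in allow:
                findings.append((dev["name"], mp))
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for top in json.loads(lsblk_json)["blockdevices"]:
        walk(top, False)
    return sorted(findings, key=lambda f: f[1])


def is_fully_encrypted(lsblk_json, allow=("/boot", "/boot/efi")):
    """True when every mounted filesystem outside `allow` sits on a crypt device."""
    return not unencrypted_mounts(lsblk_json, allow)


if __name__ == "__main__":
    # On a live host, replace SAMPLE_LSBLK_JSON with:
    #   subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"])
    for name, mp in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"UNENCRYPTED: {mp} on {name}")
    print("fully encrypted:", is_fully_encrypted(SAMPLE_LSBLK_JSON))
```

Run against the sample, the check flags /home on sdb1 and accepts / on cryptroot, which is exactly the situation a "password protected" laptop with an afterthought second disk ends up in. The same question on Windows is answered by `manage-bde -status`, and on macOS by `fdesetup status`; whatever the platform, the thing to verify is the storage layer, not the login screen.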

So, how to rectify the problem? My guess is as good as yours. Short of educating people as they set up their businesses (as they register with the state, for example), there are no easy approaches to the problem.

When you consider the furor that has been raised over HIPAA data breaches for the past five years – and the fact that it has contributed heavily towards medical organizations investing in the use of medical file encryption software like AlertBoot – it boggles the mind that we can still come across such a story as this one: according to phiprivacy.net, Jersey City Medical Center sent unencrypted PHI to a third party via a parcel delivery service.

Possibly the most damning aspect of this story is this particular assurance: "The Medical Center has now implemented measures to avoid similar incidents in the future, including prohibiting the transmission of unencrypted CDs containing patient information."

Considering that the deadline to implement all aspects of the HIPAA Final Omnibus Rule passed some time ago, it wouldn't surprise me if HHS/OCR promptly opens an investigation into this case.

SSNs, Names, and Other PHI Involved

According to the breach notification letter template filed with the Vermont Attorney General's office, the data breach occurred sometime between June 13 and June 16 (or July 22, depending on your point of view), when a package wasn't delivered and United Parcel Service couldn't find it within their system. (As convenient as it may be, it would be unfair to blame UPS for the data breach. All package delivery services have a history of losing items. For example, FedEx once lost nuclear rods.)

The lost package contained a CD full of protected health information (PHI), including names and Social Security numbers. Also included were dates of birth, Medical Center ID numbers, gender, admission and discharge dates, and other medical information.

In light of the information on the CD, it is shocking that encryption software was not used to protect its contents. After all, the information was leaving the medical center's data security perimeter and so required some kind of data protection beyond UPS's policies (which, if I remember correctly, generally tend to absolve the company of any responsibility).

HIPAA File Encryption: Chances Are You Need It

Why do companies continue to insist on mailing sensitive information without adequate protection? There are a number of reasons. It could be plain and simple oversight. It may not be possible for financial reasons. But sometimes the reason is technical.

The problem with file encryption is that you still need a way to exchange the encryption key or the password. You can't send it with the file itself, as that defeats the purpose. An easy way around it is to contact the recipient over a separate channel and reveal the password, such as giving them a call or sending it via e-mail.

But there are instances where such actions do not help. Generally, the sender and recipient need to have the same encryption program for any of this to work. More often than not, the recipient does not have access to the software that the sender used to encrypt the file. Without it, the recipient is unable to decrypt the file and use the data even with the correct password in hand. (Standard formats such as OpenPGP ease this, since free tools for them exist on every platform, but only if both sides know to use them.) Because of these technical limitations, encryption becomes a nonviable solution and an alternative (or nothing at all) is used.

How does one get around this conundrum? AlertBoot will be releasing a new service next year that will resolve this problem as well as addressing other security concerns involving encrypted file exchanges.

According to the Irish independent.ie, a laptop computer belonging to a garda (a member of the Garda Síochána, the Irish national police) has been found in a brothel in Amsterdam. The short and rather uninformative article is full of puns and fun, and veers off to some data security indiscretions the Gardai have had in the past, but it's a reminder of why using laptop encryption software like AlertBoot is essential when it comes to devices with sensitive data.

Heart of Gold

The laptop computer, and the bag it came in, was found by a worker at the Amsterdam establishment. She got in touch with the Dutch authorities who contacted their Irish counterparts. The laptop was returned to the Gardai using "a secure postal system."

It was not mentioned whether the computer itself was secured in any way, but it was expressed that "there are fears that some security may have been compromised due to sensitive data on the computer" (again, laptop disk encryption would have kept the data confidential, whoever ended up with the machine).

The authorities are currently trying to figure out "how the individual's bag was found in the brothel," although the real question is more likely why. For example, something similar to a restaurant's dining and dashing? Or perhaps things were quite mind-blowing and the garda lost his faculties?

Infantile questions aside, and getting down to business, there's a valid concern in trying to find out how the laptop ended up where it was found. For example, the laptop could have been stolen and taken to the brothel by a thief.

And, even if the garda himself was responsible for leaving it behind, let's not forget that there is minimal stigma in Europe for visiting houses of pleasure, and nothing illegal has taken place. If we were to take morality out of the equation, it wouldn't be too different from leaving behind a laptop with sensitive data at a McDonald's.

There should be consequences, however, depending on whether the laptop was protected with encryption or not. As history has shown, people will leave things behind by accident. Important things. Sometimes, items are stolen. Important items. So, knowing that you're going around with a laptop with sensitive data, it would be nearly criminal not to have had it secured.

Especially if (a) your organization has had a history of data breaches, (b) your government basically requires it (although they haven't codified it into actual law), or (c) the situation, losing a laptop, is so critical that Europol gets involved.

How much thought has your healthcare organization given to encryption? With technological advancement comes great responsibility, and when your patients’ health information is at risk, protecting your data should be a top priority.

Encryption can be the safeguard you need to prevent a security breach. Through full-disk or file encryption, your patients’ health information will be more secure.

In this article, Tim Maliyil explains why encryption is a necessity for all healthcare organizations.

The Wall Street Journal has an article on how certain executives are questioning the value of notifying the general public on company data breaches. The pay-walled article notes that there are valid reasons against more transparency.

The thing is, most of these so-called reasons are self-serving, which is why 47 states have laws requiring breach notification. Plus, the article lays out certain practices that make one wonder whether they understand how the law works.

Can't Sue If They Don't Know, Might Tip Off Criminals

Some of the reasons given against more transparency are semi-comical. One executive said that "there is this crazy hysteria" about cyberattacks, which I'm going to assume is meant for data breaches in general and not just cyberattacks (that is, attacks on online servers). It is also pointed out that "not every corporate document is a valuable trade secret; credit-card numbers may....never [be] used."

Regarding the hysteria: just because it feels crazy doesn't mean it's not real. Identity theft is usually the end product of a data breach and, according to a 2013 Bureau of Justice Statistics report, 16.6 million people experienced identity theft in 2012, with financial losses totaling $24.7 billion. Put in this light, it's crazy that more isn't done to curtail data breaches.

But wait, contrarians might say. Not all data breaches result in sensitive information being stolen. Also, as already pointed out above, just because it's stolen doesn't mean it will be used. The first charge is a moot point. Data breach laws do not require that all data breaches be reported. By and large, the laws require notification if sensitive personal data is lost or stolen.

As to the second observation, the premise is so infantile that I would have to retort with a childish "so what?" How would a company that has experienced a personal information data breach know whether the stolen information will be used or not? It can't. That's the point; that's why the public at large is notified. So they can check their bank statements or whatever it is they have to do.

Plus, the logic itself doesn't make any sense. Let's use the same exact parallels to argue about guns, shall we? Hey, someone stole my gun, but we all know that most guns are not used in crimes. Thus, chances are that the gun will not be used in a crime. Hence, the theft doesn't really represent a threat – after all, it could be hanging on someone's wall, being admired by the thief. No need to let anyone know that the gun was stolen; chances are nothing will come out of it.

Does this sound reasonable to you?

My jaw also hit the floor when I read this particular line: "If you never disclose the breach at all, then you don't have class-action suits," said one particular lawyer.

*Sigh*. While I don't doubt that there are many organizations actively hiding data breaches for this exact reason, it sounds quite wrong for it to come out of the mouth of a lawyer from a respected firm. My hope is that he has either been misquoted or quoted out of context. If I may offer this observation, to show how wrong the statement happens to be: if you kill a man, give him cement shoes, dump him in the Hudson, and never disclose it at all, then you don't get arrested.

Verbal Legal Wrangling

There was also another aspect that left me scratching my head and wondering whether people knew what they were doing (my emphases):

In hacker simulations, the company has mapped out one response for a data breach it discovers on its own and another if it's alerted by law enforcement or a journalist. But "we actually don't use the term breach," because that could trigger disclosure laws, Ms. Hutchinson said.

[...]

She said she might recommend telling consumers about a hacking incident, but only after extensive analysis. Announcing "anything earlier than three months, in my opinion, would be too quick," Ms. Hutchinson said.

I guess it depends on which laws Ms. Hutchinson is referring to, but the laws that I know (state laws) have very specific definitions of what a data breach constitutes – meaning how you decide to classify something has very little bearing. You can't claim something is not a data breach just because you've decided to call it a "coconut chocolate bar" and refer to it as such in your internal memos.

Of course, we can all appreciate that the breached companies are victims, too. But I think the public's cynicism and lawsuit-happy trigger-fingers are most probably a result of such attitudes like the above.

Delaware has passed a law (which becomes effective on January 1, 2015) declaring that "commercial entities" must destroy any personally identifiable information (PII) belonging to consumers that is "no longer to be retained by the commercial entity." In other words, when disposing of PII, commercial entities must destroy customers' information. Of course, like most legislation, you have to take a look at the details.

Among them: encrypted data is not affected by this law, in effect creating a safe harbor clause. What this appears to mean is that you're allowed to dispose of computers with disk encryption without any additional work being done on them, provided the key isn't stored on, or recoverable from, the device itself.

Definition of Commercial Entity

One of the more surprising twists of the law is how the Delaware law opted to define "commercial entity." According to jdsupra.com, the definition is overly broad and thus will

You might be thinking, "well...that doesn't appear overly broad at all. It sounds reasonable." Except, there is this caveat:

The definition, however, raises the question of whether the new requirements apply just to entities doing business in Delaware, or if it also extends to entities formed in Delaware regardless of where they transact business. Given the number of companies incorporated in Delaware, the resolution of this ambiguity could have significant implications nationally.

The author at jdsupra.com notes that there are signs of restraint (HIPAA covered entities are not exempted from the law, for example), but it seems to me that just because there are signs of restraint, it doesn't mean the above quoted section is meant to be interpreted with restraint.

For example, in 2011, Texas amended Section 521.053 of its Business and Commerce Code so that residents across the USA (possibly the world) are notified of data breaches if the business in question did business in Texas. If I'm not mistaken, an out was given for particular commercial entities that were covered by other data breach laws, such as HIPAA. The Delaware law could also be aiming for similar reach.

Defining Personal Information

In addition, the law defines personal information as follows (my emphasis):

a consumer's first name or first initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted: social security number, passport number, driver's license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information or confidential health care information.

In other words, the law made an effort to ensure that it didn't unnecessarily burden companies or create legal oddities. For example, is the Yellow Pages in breach of the law if someone tosses their freely delivered canary tome? It shouldn't be in principle, and it won't be legally, either. On the other hand, you really don't need the correct name to make use of an SSN, so the name-plus-data-element trigger leaves some genuinely sensitive data outside the statute.

Yet Another Up Vote for Encryption

As more laws are passed addressing personal information security, the more often they include exceptions for data protected with encryption software. Why?

Well, you could grab your roll of aluminum foil and proclaim that the government is in cahoots with the encryption industry. But the truth of the matter is that encryption is one of the most effective ways of keeping data from unauthorized eyes. Not only is it effective, the cost-to-benefit ratio is unprecedented: when the US government must throw all of its computing resources at a machine protected with $100 worth of software (and possibly fail in the process), that's a lot of bang for your buck. The one caveat is that the protection is only as strong as the passphrase or key that unlocks it; a weak password in front of strong encryption is where an attacker goes first.

You can also assume the protection holds at least as well against anyone with fewer resources who tries to break in.